Security

How we handle your data.

Straight talk on how we protect your data — the controls we run today, and what's on the roadmap.
In place

What we've built.

Tenant isolation at the database layer

Isolation between customers is enforced in the database itself, not just in application code — so an application-layer bug cannot surface one customer's data to another.

No privileged credentials in the browser

The browser never holds privileged database credentials. Privileged operations run server-side through narrowly-scoped, audited procedures, and our build pipeline blocks any change that would ship a privileged key to the client.

Encrypted credential vault

OAuth tokens and other connector credentials are held in an encrypted vault, reachable only through a single audited path. Application roles cannot read them directly.

Server-side authorization

Background jobs re-derive and re-verify which customer they are acting for from trusted server state — never from the incoming request or event payload.

No customer content in telemetry

Our metrics pipeline captures only operational signals such as timings and status codes. Model inputs, model outputs, prompts, and other customer content never enter it.

Managed secrets + encryption everywhere

Production secrets live in a managed secrets service with least-privilege access. Data is encrypted in transit (TLS 1.2+) and at rest.

Not yet

What isn't in place yet.

SOC 2

In progress. Type I targeted H2 2026, Type II H1 2027. Running a security review now? Email us and we'll share our current controls documentation.

Data residency

Single-region today. EU-region storage is available on request for committed customers.

Third-party penetration test

Continuous dependency scanning and internal review today; a third-party penetration test is scheduled.

Responsible disclosure

Found a vulnerability? Email support@zaviagent.com. We aim to acknowledge within 24 hours and resolve P0 issues within 7 days. We don't have a bug bounty program yet — we'd rather pay you in founder time + a public credit.